./my-certbot --help
...
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
...

obtain, install, and renew certificates: (default) run Obtain & install a certificate in your current webserver certonly Obtain or renew a certificate, but do not install it renew Renew all previously obtained certificates that are near

I’m betting that the use of certonly is why I have a -0001 and a -0002; and the update is taking place in -0002 while live is linked (somehow) to -0001. I sure do seem to be accumulating a lot of privkey#.pem.

That’s probably why the updates aren’t happening where you expect. Certbot never updates certificate lineages whose renewal configuration files have been deleted because as far as it’s concerned, those certificates are no longer managed by Certbot at all.

One option is to change your web server configuration to point at the -0002 version, which you’ve observed is updating properly.